Author Archive: Karthik

The Power of Interdisciplinary Research

I was privileged to give the keynote presentation at Norwich University’s Undergraduate Research Symposium recently, entitled “Keeping an Open Mind.” I still remember being a summer research fellow in math at Norwich, my alma mater, in 2004 and then pursuing independent studies in computer security my junior and senior years. Gaining the experience of research while still an undergrad eased my transition into a professional career in security research.

© 2013 Norwich University

My message to the audience was that interdisciplinary research is possible, important, and fun. I used EO Wilson’s philosophy of consilience to reason why knowledge from diverse disciplines ought to mix: “The goal of consilience is to achieve progressive unification of all strands of knowledge in service to the indefinite betterment of the human condition.” This notion applies to our own industry of software security: a leading practitioner would arguably be well-versed in computer science, discrete math, software engineering, systems engineering, and psychology, among other disciplines.

To demonstrate that interdisciplinary research is important I used two examples. First, the research of Prof. Kevin Warwick of the University of Reading in the UK and its potential for treating people with damaged nervous systems. Second, that of Alan Turing’s interdisciplinary work during World War II. Turing’s contributions are said to have shortened the length of the war by two years. Finally, I used the example of the winners of the 2013 Ig Nobel awards to say that research is fun and it can make us laugh and think.

I followed with practical advice about approaching research with an open mind, tracking your ideas, working with a collaborative spirit, and finding your passion in research: when you become intrinsically motivated to learn something then there’s no stopping you – something we can all keep in mind throughout our careers.

Karthik Raman
Security Researcher

Recon 2013

Recon, held annually in Montreal, Canada, has a reputation for being one of the best technical security conferences in the world. I was once again privileged to attend Recon (June 21-23) and this year’s conference did not disappoint.

Slides from the conference are up here on the conference Web site. As a security defender, I especially enjoyed learning about the innards of EMET 4.0 from Elias Bachaalany of the Microsoft Security Response Center (MSRC). Christopher Domas’s talk on using visualization for reverse engineering will strike a chord with anyone who has thought about using the human brain’s formidable pattern-recognition capabilities for sifting through masses of data — in this case, binary data.

Recon is known for assembling researchers from the US, Canada, Europe, and many other parts of the world and it was fun, as always, to engage in conversations with friends, colleagues, partners, and the independent research community.

Vieux-Montréal (Old Montreal) is a 15-minute walk away from the conference venue and at sunset it is more than pleasant there:

Until belle Montreal beckons again!

Karthik Raman
Security Researcher

Reader 9.x Reaches End-of-Life

In line with the Adobe Support Lifecycle Policy, Adobe’s Acrobat 9.x and Reader 9.x suite of products reached their end-of-life (EOL) today, June 26, 2013. This means that Adobe will no longer provide security or other updates to this product suite.

Over the years, we’ve made several security enhancements in the successors of Reader 9, Reader X and Reader XI, including the Protected Mode (aka “sandboxing”) and Protected View. There has never been a better time to upgrade to Reader XI. Please upgrade, ensure automatic updates are turned on, and stay secure!

Karthik Raman

Security Researcher, ASSET

Collaboration for Better Software Security

At Adobe we have found that building working relationships between developers and vulnerability researchers is to the benefit of everyone, including, and especially, the general public. We will be speaking this week on this topic at the SOURCE Seattle 2012 conference. In our talk we’ll share case studies of successful developer-researcher collaboration by examining examples of security incidents including bug reports, zero-day attacks, and incident response.

If you’re going to be at SOURCE Seattle please drop by our talk: “Why Developers and Vulnerability Researchers Should Collaborate” at 12:10pm on Thursday, September 13. We’re eager to share what we have learned from our developer-researcher collaboration. And, of course, we especially look forward to catching up in hallway conversations!


Karthik Raman, Security Researcher, ASSET
David Rees, Lead Developer, Acrobat 3D

Making the JavaScript Blacklist Framework for Reader/Acrobat more Accessible

Hello everyone! Karthik here from the PSIRT Engineering team. One thing PSIRT always thinks about is presenting mitigations for classes of vulnerabilities. When a product patch is not immediately available, alternative mitigations become even more valuable. To ease the mitigation deployment process we are releasing the JavaScript Blacklist Framework Tool which offers protections against an entire class of vulnerabilities related to the JavaScript API for Adobe Reader and Acrobat.

JavaScript exploits used to be one of the main attack vectors for Adobe Reader as well as the PDF format in general. In October 2009, Adobe introduced a series of security enhancements for managing JavaScript execution within Adobe Reader and Acrobat, all of which are described here.

One of these, the JavaScript API blacklist, proved invaluable only two months later when attackers launched targeted attacks against CVE-2009-4324. Both end-users and enterprises were able to completely mitigate attacks exploiting this vulnerability by blacklisting the individual JavaScript API. Since the technique simply involves adding a new registry value entry to a particular registry key, some organizations we talked to were able to deploy a Group Policy Object with the updated registry entry to hundreds of thousands of machines within 24 hours.
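For sysadmins who want to script the registry change described above instead of using the tool, here is an added PowerShell example (not Adobe’s tool or any code from this post). It assumes the Reader 9.x policy key and pipe-separated tBlackList value documented in Adobe’s Application Security Guide, and uses DocMedia.newPlayer, the API Adobe’s advisory named for CVE-2009-4324, as the sample entry; it must run elevated.

```powershell
# Added example: idempotently append API names to the Reader/Acrobat
# JavaScript API blacklist policy value and report the resulting list.
# Assumed key layout (from Adobe's Application Security Guide, not this post):
#   HKLM\SOFTWARE\Policies\Adobe\<Product>\<Version>\FeatureLockDown\cJavaScriptPerms
#   tBlackList (REG_SZ) = "Api.One|Api.Two|..."
param(
    [string]   $Product = 'Acrobat Reader',          # or 'Adobe Acrobat'
    [string]   $Version = '9.0',                     # 8.0, 9.0, 10.0 ...
    [string[]] $Apis    = @('DocMedia.newPlayer')    # sample entry (CVE-2009-4324)
)

$key = "HKLM:\SOFTWARE\Policies\Adobe\$Product\$Version\FeatureLockDown\cJavaScriptPerms"

# Create the policy key if no blacklist has been deployed yet.
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Read the current pipe-separated list (empty if the value does not exist).
$current = (Get-ItemProperty -Path $key -Name tBlackList -ErrorAction SilentlyContinue).tBlackList
$entries = @()
if ($current) {
    $entries = $current -split '\|' | Where-Object { $_ -ne '' }
}

# Merge, de-duplicate, and write back as a single REG_SZ value.
$merged = @($entries + $Apis) | Select-Object -Unique
Set-ItemProperty -Path $key -Name tBlackList -Value ($merged -join '|') -Type String

Write-Output "tBlackList for $Product $Version is now: $($merged -join '|')"
```

Deploying the same value through a Group Policy Preference registry item gives the fleet-wide rollout the post describes; re-running the script is safe because existing entries are preserved rather than duplicated.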

To further refine this process for enterprise IT, the security team created a tool with a user interface for this feature, and it is now available on Adobe Labs.

Blacklist Tool Screenshot

The tool presents a list of JavaScript APIs that have been attacked in the past. It retrieves this list of APIs from an Adobe server. If an Internet connection is unavailable, it presents a default list. When you click on ‘View,’ it displays the current entries in the JavaScript Blacklist and saves this data in a text file in the directory the application is running from (usually its installation directory). You can check multiple APIs then ‘Add’ them to the JavaScript Blacklist or Remove them. Simple enough!

Note that the tool requires the Microsoft .NET 4.0 framework. The tool’s installer should prompt you to install dependencies automatically.

If you are a Windows sysadmin and have had to make changes to the JavaScript Blacklist by hand, this tool will make your life a little easier. To download the tool, visit Adobe Labs. The tool will work with the JavaScript Blacklist Framework on Reader 9.2 and 8.1.7 and later versions (including Reader X and Acrobat X) on Windows.

Karthik Raman, Security Researcher, PSIRT
Ben Rogers, Technical Writer, Acrobat & Reader Engineering